"ESXi Host Certificate Status" alert for ESXI host in vCenter Server
search cancel

"ESXi Host Certificate Status" alert for ESXI host in vCenter Server

book

Article ID: 374032

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

An ESXi host is marked with an alarm stating "ESXi Host Certificate Status" in the vSphere Client. This occurs when the host's SSL certificate is nearing or past its expiration date.

Environment

ESX 7.x

ESX 8.x

ESX 9.x

Cause

vCenter Server monitors all certificates within the VMware Endpoint Certificate Store (VECS). It triggers a Certificate Status alarm (typically 30 days prior to expiry) if any host certificate is close to expiration.

Resolution

For a certificate that is Near Expiry, use the Certificate Management capability within VCF Operations to refresh the certificate.

Method 1: vSphere UI (Preferred)

Follow these steps to renew certificates using the VMware Certificate Authority (VMCA):

  1. Log in to the vSphere Client and select the affected host.
  2. Navigate to the Configure tab.
  3. Under System, select Certificate.
  4. Execute the renewal based on your vCenter version:
    • vCenter 8.0 Update 3 and later: Click MANAGE WITH VMCA in the upper right corner, then select Renew.
    • vCenter versions prior to 8.0 Update 3: Click Renew or Refresh CA Certificates directly.
  5. Click Yes to confirm the operation.

Method 2: Command Line (Emergency Use)

If the host is disconnected or the UI is unresponsive, use an SSH session:

  1. Enable SSH on the ESXi host via the VMware Host Client (Actions > Services > Enable SSH).
  2. Connect to the host using an SSH client (e.g., PuTTY).
  3. Run the following command to regenerate self-signed certificates:
    /sbin/generate-certificates
  4. Restart the host daemon management agent : 
    /etc/init.d/hostd restart
  5. Restart the vCenter Server Agent: 
    /etc/init.d/vpxa restart
  6. Disable SSH once the host returns to a "Normal" status in vCenter.

Additional Information

Prerequisites 

Before attempting to renew or refresh ESXi SSL certificates, you must verify the following:

  • VMCA Root Validity: Ensure the VMCA Root certificate is not expired. Check this via vCenter > Administration > Certificate Management > Trusted Root.
  • Host Connectivity: Affected ESXi hosts must be connected and "Green" in the vCenter inventory.
  • Time & DNS: Verify time synchronization and functional DNS resolution between vCenter and ESXi hosts.
  • Maintenance Mode: Ensure the ESXi hosts are NOT in maintenance mode.
  • Service Health: vCenter MACHINE_SSL_CERT must be valid.

For Custom Certificates

Refer to KB Configuring CA signed certificates for ESXi hosts.

Powered by Wolken Software